Changes in the Administration Framework

Unlike the 5.2 versions, Directory Server 11g Release 1 (11.1.1) does not include an
administration server. Servers are now registered in the Directory Service Control Center (DSCC)
and can be administered remotely by using the web-based GUI or the command-line
tools.

To migrate to the new administration framework, you need to do the following:

Upgrade each server individually

Register each server in the DSCC

Removal of the ServerRoot Directory

In the new administration model, a Directory Server instance is no
longer tied to a ServerRoot. Each Directory Server instance
is a standalone directory that can be manipulated in the same manner as an
ordinary standalone directory.

Removal of the o=netscapeRoot Suffix

In previous versions of Directory Server, centralized administration
information was kept in o=netscapeRoot. In the new administration
model, the concept of a configuration directory server no
longer exists. The o=netscapeRoot suffix is no longer required,
and the netscapeRoot database files are therefore not migrated. The configuration data for this suffix can be migrated,
if it is specifically required.

Changes to ACIs

The following changes have been made to ACIs in Directory Server 11g Release 1 (11.1.1).

Changes in the ACI Scope

In Directory Server 5.2, ACIs on the root DSE had base scope. In Directory Server 11g Release 1 (11.1.1),
ACIs on the root DSE have global scope by default, equivalent to targetscope="subtree".

To reproduce the same behavior as Directory Server 5.2,
add targetscope="base" to ACIs on the root DSE. If you
use dsmig to migrate the configuration, this is done automatically.

Changes in Suffix-Level ACIs

In Directory Server 5.2, the following ACI was provided, at the suffix
level:

This ACI allowed self-modification of user passwords, among other things.
This ACI is no longer provided in Directory Server 11g Release 1 (11.1.1).
Instead, the following global ACIs are provided by default:

In Directory Server 11g Release 1 (11.1.1), the default userPassword ACI at the root DSE level provides access control equivalent to the
default legacy ACI at the suffix level. However, if you want to reproduce exactly
the same access control as in the legacy version, add the following ACI to your
suffix. This ACI is the legacy ACI, with the new password policy operational
attributes for Directory Server 11g Release 1 (11.1.1).

Do not allow users write access to everything and then deny write
access to specific attributes. Instead, explicitly list the attributes to
which you allow write access.
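
The two ACI migration points above (restoring base scope on root DSE ACIs, and listing writable attributes explicitly rather than excluding a few) can be checked over exported ACI values with a short script. This is an added example, not part of the original documentation and not how dsmig is implemented; the function names and the sample ACI strings are constructed for illustration.

```python
import re

# Target clauses look like (keyword = "value") or (keyword != "value")
# and come before the "(version 3.0; ...)" part of an ACI value.
TARGET_RE = re.compile(r'\(\s*(\w+)\s*(!?=)\s*"([^"]*)"\s*\)')
VERSION_RE = re.compile(r'\(\s*version\s+3\.0\s*;', re.I)
ALLOW_RE = re.compile(r'\ballow\s*\(([^)]*)\)', re.I)

def split_aci(aci):
    """Split an ACI value into ([(keyword, op, value), ...], rules_text)."""
    m = VERSION_RE.search(aci)
    if m is None:
        raise ValueError("no (version 3.0; ...) clause: %r" % aci)
    targets = TARGET_RE.findall(aci[:m.start()])
    return [(k.lower(), op, v) for k, op, v in targets], aci[m.start():]

def pin_base_scope(aci):
    """Give a root DSE ACI the 5.2 behaviour; leave an explicit scope alone."""
    targets, _ = split_aci(aci)
    if any(keyword == "targetscope" for keyword, _op, _value in targets):
        return aci
    return '(targetscope="base")' + aci.strip()

def grants_broad_write(aci):
    """True if write is allowed on "*" or on everything except a deny-list."""
    targets, rules = split_aci(aci)
    rights = {r.strip().lower() for m in ALLOW_RE.finditer(rules)
              for r in m.group(1).split(",")}
    if not rights & {"write", "all"}:
        return False
    return any(k == "targetattr" and (op == "!=" or v.strip() == "*")
               for k, op, v in targets)

# Constructed sample ACI values (not taken from any product default).
ROOT_DSE_ACI = ('(targetattr="namingContexts || supportedExtension")'
                '(version 3.0; acl "sample anonymous read"; '
                'allow (read,search,compare) userdn="ldap:///anyone";)')
DENY_LIST_ACI = ('(targetattr != "aci || nsroledn")'
                 '(version 3.0; acl "sample self write, deny-list"; '
                 'allow (write) userdn="ldap:///self";)')
EXPLICIT_ACI = ('(targetattr="userPassword || telephoneNumber")'
                '(version 3.0; acl "sample self write, explicit"; '
                'allow (write) userdn="ldap:///self";)')

if __name__ == "__main__":
    print(pin_base_scope(ROOT_DSE_ACI))
    for aci in (DENY_LIST_ACI, EXPLICIT_ACI):
        print(grants_broad_write(aci), aci)
```

An ACI flagged by grants_broad_write is a candidate for rewriting with an explicit targetattr list; any attribute added to the schema later is otherwise writable by default.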

Command Line Changes

The functionality of most command-line tools is replaced by only two
commands: dsadm and dsconf.

The following table shows commands used in Directory Server 5.2,
and the corresponding commands for Directory Server 6 and 11g Release 1 (11.1.1).
In version 11g Release 1 (11.1.1), the default path of these commands when installed
from native packages is /opt/SUNWdsee7/bin. When installed
from the zip installation, the default path is install-path/dsee7/bin.

A grace login limit, specified by the pwdGraceAuthNLimit attribute. This attribute specifies the number of times an expired
password can be used to authenticate. If it is not present or if it is set
to 0, authentication will fail.

Safe password modification, specified by the pwdSafeModify attribute. This attribute specifies whether the existing password
must be sent when changing a password. If the attribute is not present, the
existing password does not need to be sent.

Changes to Plug-Ins

This section lists the new plug-ins that have been added in Directory Server since
version 5.2. The section also describes what you need to do if you have custom
plug-ins created with the old plug-in API.

Changes to the Installed Product Layout

This section summarizes the changes to the installed product layout
from Directory Server 5.2. Several files and utilities have been deprecated
since Directory Server 5.2, as described in the following sections.

Administration Utilities Previously Under ServerRoot

In Directory Server 11g Release 1 (11.1.1) the Administration Server
is no longer used to manage server instances.

The following system administration utilities previously located under ServerRoot have therefore been deprecated:

restart-admin

start-admin

startconsole

stop-admin

uninstall

Binaries Previously Under ServerRoot/bin

The following utilities under ServerRoot/bin have been deprecated:

ServerRoot/bin/admin/admconfig

ServerRoot/bin/https/bin/ns-httpd

ServerRoot/bin/https/bin/uxwdog

ServerRoot/bin/slapd/server/ns-ldapagt

On Solaris SPARC, the ns-slapd daemon is located
in install-path/lib/sparcvSolaris-Version. On platforms other than Solaris SPARC, the ns-slapd daemon is located in install-path/lib.

Libraries and Plug-Ins Previously Under ServerRoot/lib

Product libraries and plug-ins in Directory Server 5.2 were located
under ServerRoot/lib. In Directory Server 11g Release 1 (11.1.1),
on Solaris SPARC, these libraries and plug-ins are located in install-path/lib/sparcvSolaris-Version.
On platforms other than Solaris SPARC, they are located directly under install-path/lib.

Online Help Previously Under ServerRoot/manual

Console online help files were previously located under ServerRoot/manual. The console online help files
for Directory Server 11g Release 1 (11.1.1) are located under /opt/SUNWdsee7/resources/dcc7app/html.

Plug-Ins Previously Under ServerRoot/plugins

The following table describes the new location of sample server plug-ins
and header files for plug-in development.

SNMP support is no longer handled within Directory Server. SNMP monitoring
is now handled by the Java Enterprise System Monitoring Framework (Java ES
MF). All plug-ins and binaries related to SNMP have therefore been deprecated
within Directory Server.

Utilities Previously Under ServerRoot/shared/bin

The following table describes the new location of the administrative
tools previously under ServerRoot/shared/bin. Note that as a result of the change to the administrative framework,
some of these tools have been deprecated.

Table 8–4 Tools Previously Under ServerRoot/shared/bin

5.2 File                            11g Release 1 (11.1.1) File           Purpose
ServerRoot/shared/bin/admin_ip.pl   Deprecated                            Change IP address
ServerRoot/shared/bin/entrycmp      install-path/bin/entrycmp             Compare entries for replication
ServerRoot/shared/bin/fildif        install-path/bin/fildif               Dump filtered LDIF
ServerRoot/shared/bin/insync        install-path/bin/insync               Check replication synchronization
ServerRoot/shared/bin/ldapcompare   /opt/SUNWdsee/dsee6/bin/ldapcompare   Compare attribute value. In Directory Server 11g Release 1 (11.1.1), you must install the SUNWldapcsdk-tools package to get this utility
ServerRoot/shared/bin/ldapdelete    /opt/SUNWdsee/dsee6/bin/ldapdelete    Delete directory entry. In Directory Server 11g Release 1 (11.1.1), you must install the SUNWldapcsdk-tools package to get this utility
ServerRoot/shared/bin/ldapmodify    /opt/SUNWdsee/dsee6/bin/ldapmodify    Modify directory entry. In Directory Server 11g Release 1 (11.1.1), you must install the SUNWldapcsdk-tools package to get this utility
ServerRoot/shared/bin/ldapsearch    /opt/SUNWdsee/dsee6/bin/ldapsearch    Find directory entries. In Directory Server 11g Release 1 (11.1.1), you must install the SUNWldapcsdk-tools package to get this utility
ServerRoot/shared/bin/modutil       Deprecated                            Manage PKCS #11 modules
ServerRoot/shared/bin/uconv         Deprecated                            Convert from ISO to UTF-8
ServerRoot/shared/bin/repldisc      install-path/bin/repldisc             Discover replication topology

Note – The paths for ldapcompare, ldapdelete, ldapmodify, and ldapsearch are from the SUNWldapcsdk-tools package.

Certificate and Key Files

The following table shows the new locations of the certificate and key
files in Directory Server 11g Release 1 (11.1.1).

Table 8–5 Location of Certificate and Key Files

5.2 File                                11g Release 1 (11.1.1) File          Remarks
ServerRoot/shared/config/certmap.conf   instance-path/alias/certmap.conf     Configuration file for mapping certificates to directory entries
ServerRoot/alias/cert8.db               instance-path/alias/slapd-cert8.db   Trusted certificate database file
ServerRoot/alias/key3.db                instance-path/alias/slapd-key3.db    Database file containing client keys
ServerRoot/alias/secmod.db              instance-path/alias/secmod.db        Database file containing security modules such as PKCS#11

Silent Installation and Uninstallation Templates

In Directory Server 5.2, the ServerRoot/setup5 directory contained sample templates for silent installation and
uninstallation. Silent installation and uninstallation are no longer needed
for Directory Server 11g Release 1 (11.1.1) and these files have therefore
been deprecated.

Server Instance Scripts Previously Under ServerRoot/slapd-ServerID

The command-line administration scripts previously under ServerRoot/slapd-ServerID have
been replaced in the new administration framework and deprecated. These commands
and their Directory Server 11g Release 1 (11.1.1) equivalents are described
in Command Line Changes.

Server Instance Subdirectories

The following table describes the new locations for the configuration,
log and backup data previously located under ServerRoot/slapd-instance-name